Intro
Cybersecurity is a dynamic and developing field within computer
science. The need for cybersecurity has
become increasingly clear in the public eye, as a growing number of companies,
federal agencies, and individuals have become victims of cyber-attacks. According to a study performed by the
Association of Financial Professionals, “more than 60 percent of companies have
been the victim of an attempted cyber-attack” (Pruitt). This often results in personal information,
including credit card numbers, being distributed among criminals. The hacking of personal photos and
information from celebrities and others has featured prominently in the news
over the last few years, as well.
As these attacks multiply in number and severity, there has been a
rallying cry to recruit more cybersecurity professionals to battle them. Postings for cybersecurity jobs have risen by
74 percent over the last five years, and the demand for such jobs is expected
to grow by 53 percent through 2018. Sadly,
the call to arms seems to have been left mostly unanswered. As of 2015, more than 209,000 cybersecurity
jobs in the U.S. remain unfilled (Setalvad), and the infrastructure that should
be pumping out qualified cybersecurity professionals left and right is
struggling to even meet the minimum requirement. So considering that “the demand for
cybersecurity professionals over the past five years grew 3.5 times faster than
demand for other IT jobs and about 12 times faster than for all other jobs,”
(Setalvad) why is this need not being met?
The answer is complex, and numerous people and organizations are taking
steps to encourage students to pursue a career in cybersecurity. But a strong defense against cyber-attacks is
not complete without an educated public.
Even with a team of qualified cybersecurity specialists on retainer, a
large corporation can have its information compromised simply by one employee
clicking on a malicious link in an email.
With this in mind, other organizations are attempting to bridge the
general public’s gap in knowledge when it comes to understanding and
implementing basic internet security principles.
The bottom line is that there are currently many gaps in our country’s
cybersecurity education program, and this blog is meant to inform you on what
they are, and what others have been trying to do about them.
The gender gap
In the big picture, one of the most glaring gaps, not just in
cybersecurity education, but in the IT field in general, is that of the
under-representation of women. Google
and Facebook have been under scrutiny after it was reported that less than 40
percent of their workforces were women. Data
from the federal Department of Education demonstrates that in 1983-84, computer
science degrees accounted for 2.4 percent of all bachelor’s degrees conferred
to women, but by 2011-12, that had shrunk to less than 1 percent
(Setalvad).
What’s curious is that this trend towards fewer women in computer
science runs counter to the trend in other scientific fields. So why the divergence from the norm? Setalvad cites some cybersecurity educators
in California as saying that they believe this trend is representative of two
things: a lack of encouragement for female students, and the prominence of a negative
stereotype about computer enthusiasts.
One teacher named Phillip Ye put it this way: “Computer science isn’t
glamorous… Popular culture always
portrays [cyber-professionals] as nerdy males who live in their mom’s basement,
drinking Mountain Dew out of the bottle with chips all around them. So girls have already developed this
resistance to it” (Setalvad). Nina
Levine, another teacher, observes that at a younger age, students from both
genders are equally interested in technology studies. She points out that as they get older, male
students tend to stay interested, whereas female students lose interest if they
are not encouraged to maintain it.
(Setalvad).
In the computer science industry in general, women account for only
about 25 percent of the workforce. For
cybersecurity, that percentage drops to only 10 to 15 percent (Setalvad). Bringing that percentage higher could make a
huge difference in meeting the demand for more cyber-security specialists.
K-12
For students:
In the landscape of K-12 education, students often have “a limited
knowledge of cyber-security”, and sometimes (especially at middle school and
below) even lack basic computer skills and understanding (Konak). In general, computer science is an
under-taught subject in K-12 classrooms in the U.S. According to a survey cited by Setalvad,
“only 12% of high school students even took a computer science course this last
year.” High school faculty often
overlook cybersecurity education in order to favor established programming or
robotics courses.
According to a survey conducted by Raytheon, “41 percent [of high school
students] said that during high school, at least one teacher, guidance or
career counselor, or other adult in an after-school program or extra-curricular
activity discussed or mentioned the idea of a career in cybersecurity.” This number is up from the previous year when
only 18 percent reported similar discussions.
It’s clear from these numbers that there has been some improvement in
the discussing of cyber-security principles in general. Sadly, the survey also reported that 64
percent of the students surveyed were not even offered computer classes as part
of their school’s curriculum. This
illustrates the gap in resources for K-12 students who could potentially pursue
education in cybersecurity.
To try to fill this gap, different organizations have tried to promote
cybersecurity through extracurricular activities and workshops. Konak and Setalvad give examples of workshops
aimed at middle school students that focus on cyphering and basic security
principles (for instance, password security).
The workshops use fun, engaging activities at an appropriate level of
understanding to excite interest in cybersecurity. Many of these types of workshops are run by groups
of college students, and are meant as an outreach to the community.
Watch the following video clip about a middle school outreach program:
CyberWatch West is another organization trying to fill this gap. As a program of the National Science
Foundation, CyberWatch West aims to promote cybersecurity education in K-12 and
colleges throughout the country through the use of hacking competitions,
events, and presentations. The goal of
the program is to grow interest in cybersecurity at an earlier education level
with the hopes that it will result in more cybersecurity professionals.
While these examples do demonstrate a growing effort to inform K-12
students about cybersecurity options, there is still a long way to go in
implementing cybersecurity as a part of regular curriculums.
For educators:
Another gap, as it relates to K-12 education, is the need for qualified
instructors to teach cybersecurity. As
with any other subject, teachers require accreditation in order to be able to
effectively teach a given subject.
Cybersecurity is no different; however, accreditation requires the
teachers to be taught, and that costs money.
There is also some debate on what should be included in cybersecurity
accreditation since the field of cybersecurity is a “dynamic, fluid
environment” (Conklin).
At present, cybersecurity education for teachers in the U.S. does not
include accreditation. What little
education teachers normally have comes from sources like the The National Cyber
Security Alliance (NCSA). The NCSA has
recently launched a new website and guidebook aimed at teachers and parents to
educate them on safe online practices, so that they can in turn educate their
students or children on those principles (“Teach Teenagers”). Educators are advised to teach students three
key safety lessons: protect privacy,
minimize negative publicity, and do not talk to strangers. The question remains, do these limited resources
and online guides provide teachers with enough information to be qualified in sharing
these same principles with their students?
Or is there a need for legitimate accreditation?
Currently, there appears to be a growing trend toward increasing the cybersecurity
knowledge base for teachers at the high school level. The National Science Foundation recently gave
a grant to a University of New Orleans professor in order to enable him to
educate 20 high school teachers on the basics of cybersecurity (“Cyber-Security
Training”). The program is
free-of-charge to the teachers, and includes lodging, travel, and meals. The desired goal of this program is to
educate teachers so that they will be more qualified to teach their
students. The expected outcome is that
more students will then be exposed to the principles of cybersecurity and have
a desire to pursue cybersecurity as a career.
In previous years, the same program was only allowed 15 teachers, so it
appears the government is getting more on board with teacher education for
cybersecurity, at least in the New Orleans area.
While accreditation is seriously lacking in the U.S., other countries
have already began to move in this direction.
In England, a new cybersecurity accreditation program is being launched
to enable teachers and schools to meet the increasing need for cybersecurity
education in public schools. Divided
into three levels, the new accreditation in “Cyber Awareness” for teachers will
also allow schools with a sufficient number of accredited teachers (and fulfill
other curriculum-based criteria) to be awarded the “Cyber-Aware Institution”
status. The three-stage accreditation
process requires teachers to learn cybersecurity principles, apply them, and
then lead others in learning and applying those same principles. The program is going to be rolled out to five
pilot schools around England this month, and will be formally launched in
September of 2015 as part of the TechFuture Teachers Programme (“New Cyber
Security Accreditation”).
Accreditation for cybersecurity educators, while moving towards a
mandatory status in other countries, remains an elusive goal in the United
States. Bridging this gap could make a
huge difference in the prolificacy of cybersecurity curriculum in our K-12
classrooms.
College
At the college level, cybersecurity as a topic of study is a little more
represented. Computer Science (CS)
majors are often presented opportunities to study cybersecurity as an elective;
however, colleges face major challenges in keeping their course offerings
relevant for the following reasons: “the
progressive nature of cyber-security and cyber-attacks and keeping curriculum
up-to-date, finding qualified instructors, competing resources and topics, lack
of proper lab and testing equipment, and dealing with a dynamic curriculum”
(Viveros).
According to Bilzor, there tends to be a trend towards the all-theory
approach in college-level cybersecurity courses. Bilzor contends that a truly relevant
curriculum must incorporate a good balance between theory and hands-on
experience, noting that theory-heavy courses tend to assume situations that are
idealized, and are not completely applicable in the real world. As Conklin puts it, these theory-driven
curriculums tend to assume “predictable, static infrastructure, when the
reality is a dynamic, fluid environment” (Conklin).
Workshops on cybersecurity aimed at both CS and non-CS college students
offer an interesting perspective on the role cybersecurity should play in the
general education curriculum. Jacobson
argues that basic cybersecurity education is important for both major and
non-major students in order to produce a better-prepared working class. The idea is that the principles learned in
college will carry over into each student’s professional life, ensuring a
higher level of security and safe internet practices in the workplace.
Believing in this same principle (and no doubt feeling the need for more
cybersecurity specialists within its own ranks), the federal government
currently funds a “Scholarships for Service” program through the National
Science Foundation. The “Scholarships
for Service” program gives scholarships to students, regardless of their major,
to study cyber-security topics. The
students are then expected to “pay back” their scholarships by working for the
federal government in a cyber-security position for a period of time equal to
the time during which they received the scholarship (Zacharias).
Organizations
The news has recently been full of stories about the hacking of personal
information from companies such as Target, Sony, and Home Depot. Even the U.S. government has not been exempt
from the rising tide of cyber-attacks.
Hackers recently went after the U.S. Postal Service, the State
Department, the White House, and the National Oceanic and Atmospheric
Administration (NOAA). According to
Benner, “experts have warned for months that corporate hackers are
using techniques once reserved for nation-state level warfare and they say an
attack on the nation’s largest businesses could disrupt commerce, livelihoods
and workers’ morale.” With all of
this hacking going on, the need for a workforce versed in cybersecurity has
become apparent.
Kansas City recently conducted a fake phishing attack on its own city
employees. Each employee was sent an
email with fake malicious links that asked the employee to reset their password
and give personal information. 280
employees gave away their personal information and login credentials during the
“attack”, demonstrating the need for improved cybersecurity awareness in the
workforce (Davis). Were this a real
attack, hackers would have been enabled to collect and manipulate information
in the municipal computer systems. The
sheer number of people who fell for this phishing test is no doubt
representative of a greater problem in both the private and government sectors.
Watch the following video clip about cybersecurity in corporations and the accreditation process:
https://www.youtube.com/watch?v=nR-yV0oNaH8
There are many advocates arguing for a national strategy to
develop a cybersecurity workforce that is both competent and large enough to
handle the ever-evolving threat of cyber-attacks. Published in 2009, Obama’s Cyberspace Policy
Review says the following:
“Existing cybersecurity training and personnel development programs, while good, are limited in focus and lack unity of effort. In order to effectively ensure our continued technical advantage and future cybersecurity, we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline for future employees” (McGettrick).
Since 2009, the number of workshops at the corporate and
government level has increased in order to develop such a workforce
(McGettrick).
Senior citizens
As the number of cyber-attacks rises, senior citizens have increasingly
found themselves the targets of such attacks.
According to a study by Cook, et. al., “elderly computer users with limited skill and knowledge
are left playing catch-up in an ever-widening gap in fundamental cyber-related
comprehension”. Cook argues that because
elderly computer users are more likely to accept initial information at face
value, they are more likely to be taken advantage of with cyber-attacks or
online scams. As Lobo illustrates,
“senior citizens have
become easy targets for cybercriminals given their trusting nature and poor
understanding on how voice and data services work. Cybercriminals and Spammers target these four
types of communication channels (voice, instant messaging, SMS and internet
telephone) to defraud senior citizens.”
As of this writing, there are
no major initiatives with a specific focus on educating senior citizens on the
basics of cybersecurity.
Conclusion
To conclude, there are many gaps in the long-term cybersecurity education
plan in the United States.
The government has instituted the National Initiative for Cybersecurity
Education (NICE) in an attempt to begin to fill these gaps. The three main focuses of NICE are education,
workforce development, and awareness. The
education component, working with the National Science Foundation and the U.S. Department
of Education, plans to enhance education for all citizens in kindergarten
through 12th grade, higher education, and vocational programs. The workforce development component offers
tools and resources for people pursuing or already working in a cybersecurity
career. The cybersecurity awareness
component is a public awareness campaign.
“Stop.Think.Connect” is a
national public awareness campaign initiated in 2010, and comprises the
awareness arm of NICE. Its main goal is to increase understanding of cyber-threats
and to assist the public in being safer and more secure online. The
“Stop.Think.Connect” website contains numerous resources including information
for parents, games and activities for kids, materials for students in K-12, and
more information from research to blogs for young professionals, business
people, and older Americans (“Stop.Think.Connect”).
While these programs are a good start, there is still much more to be
done to fill the gaps in our nation’s cybersecurity education program. This blog has given you a look into the
present state of things, and our group hopes you will begin to think about how
some of these gaps might be better filled.
Works Cited
Benner, Katie. “Is Corporate America Ready for Real Cyber-Security?” The
News Tribune. N.p., n.d. Web. 17 Apr. 2015.
Bilzor, Michael. "Seeking Balance in Cyber Education."
CrossTalk Online. CrossTalk: The Journal of Defense Software Engineering, 4
Jan. 2015. Web. 15 Apr. 2015.
Conklin, W.A., R.E. Cline, and T. Roosa. “Re-Engineering Cybersecurity
Education in the US: An Analysis of the Critical Factors.” 2014 47th Hawaii
International Conference on System Sciences (HICSS). N.p., 2014. 2006–2014.
Web.
Cook, David, et. al. “Securing the Elderly: A Developmental Approach to
Hypermedia Based Online Information Security for Senior Novice Computer Users.”
N.p., n.d. Web. 19 Apr. 2015.
"Cybersecurity Training for High School Teachers Will Be Offered in
New Orleans." The Times/Picayune Greater New Orleans Blog. The
Times/Picayune Greater New Orleans, 31 Mar. 2015. Web. 15 Apr. 2015.
Davis, Mark. "280 Kansas City Employees Fall for Fake Hack."
Kansas City Star. Kansas City Star, 26 Mar. 2015. Web. 28 Apr. 2015.
Jacobson, Doug, Julie Rursch, and Joseph Idziorek. "Workshop:
Teaching Computer Security Literacy to the Masses: A Practical Approach."
IEEE Xplore. Iowa State University, 2012. Web. 15 Apr. 2015.
Konak, Abdullah. "A Cyber Security Discovery Program: Hands-on
Cryptography." IEEE Xplore. Penn State Berks, 2014. Web. 15 Apr. 2015.
Lobo, Lucius. “Cyber Scams That Target Senior Citizens in India.”
Security Bloggers Network. N.p., n.d. Web. 19 Apr. 2015.
McGettrick, Andrew. "Report of a Workshop on Cybersecurity
Education and Training." (n.d.): n. pag. Acm, 30 Aug. 2013. Web. 19 Apr.
2015.
"National Initiative For Cybersecurity Education (NICE)." The
National Initiative for Cybersecurity Education (NICE). N.p., n.d. Web. 19 Apr.
2015.
“New Cyber Security Accreditation for Teachers and Schools.” N.p., n.d.
Web. 19 Apr. 2015.
Pruitt, Gina. “Reduce the Risk of Cyber-Security Threats with Education
and Training.”Nashville Business Journal. N.p., n.d. Web. 17 Apr. 2015.
Raytheon-NCSA. Preparing Millennials to Lead in Cyberspace October 2014
(2015): n. pag. Raytheon.com. Raytheon-NCSA, Oct. 2015. Web. 18 Apr. 2015.
Setalvad, Ariha. "Demand to Fill Cybersecurity Jobs Booming."
Peninsula Press. Stanford Journalism Program, 31 Mar. 2015. Web. 16 Apr. 2015.
"Stop.Think.Connect." Homeland Security. N.p., n.d. Web. 18
Apr. 2015.
“Teach Teenagers Cyber-Safety.” Inside School Safety (LRP Publications)
11.4 (2006): 2–2. Print.
Viveros, Marisa, and David Jarvis. "Cybersecurity Education for the
next Generation." IBM. IBM Center for Applied Insights, 25 Apr. 2013. Web.
16 Apr. 2015.
Zacharias, Maria C. "Cybersecurity: It's about Way More than
Countering Hackers." Nsf.gov. National Science Foundation, 30 Oct. 2014.
Web. 16 Apr. 2015.
